{"description": "Enterprise techniques used by Rising Sun, ATT&CK software S0448 (v2.1)", "name": "Rising Sun (S0448)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) has used HTTP and HTTPS for command and control.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1560", "showSubtechniques": true},
{"techniqueID": "T1560.003", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can archive data using RC4 encryption and Base64 encoding prior to exfiltration.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) has executed commands using `cmd.exe /c \u201c > <%temp%>\\AM. tmp\u201d 2>&1`.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1005", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) has collected data and files from a compromised host.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1140", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) has decrypted itself using a single-byte XOR scheme. Additionally, [Rising Sun](https://attack.mitre.org/software/S0448) can decrypt its configuration data at runtime.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.002", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) variants can use SSL for encrypting C2 communications.(Citation: Bleeping Computer Op Sharpshooter March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1041", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can send data gathered from the infected machine to the C2 in an HTTP POST request.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can enumerate information about files on the infected system, including file size, attributes, creation time, last access time, and write time. [Rising Sun](https://attack.mitre.org/software/S0448) can also enumerate the compilation timestamp of Windows executable files.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1564", "showSubtechniques": true},
{"techniqueID": "T1564.001", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can modify file attributes to hide files.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can clear a memory block in its process by overwriting it with junk bytes.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can delete files and artifacts it creates.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1106", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) resolves various Windows APIs dynamically at runtime using `LoadLibrary()` and `GetProcAddress()`, rather than importing them statically.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.013", "comment": "Configuration data used by [Rising Sun](https://attack.mitre.org/software/S0448) has been encrypted using the RC4 stream cipher.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1057", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can enumerate all running processes and process information on an infected machine.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1012", "comment": 
"[Rising Sun](https://attack.mitre.org/software/S0448) has identified the OS product name of a compromised host by reading the `ProductName` value under the registry key `SOFTWARE\\MICROSOFT\\Windows NT\\CurrentVersion`.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1082", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1016", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect network adapter and IP address information.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1016.001", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can test a connection to a specified network IP address over a specified port number.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1033", "comment": "[Rising Sun](https://attack.mitre.org/software/S0448) can detect the username of the infected host.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Rising Sun", "color": "#66b1ff"}]}
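The encodings the layer above attributes to Rising Sun, RC4 plus Base64 staging of collected data before it is POSTed to the C2 (T1560.003 / T1041) and a single-byte XOR self-decryption layer with an RC4-protected configuration underneath (T1140 / T1027.013), as an added analysis helper. This is example code written for this page; it is not Rising Sun's code and is not taken from the McAfee report. The keys (`EXFIL_KEY`, `CONFIG_KEY`, `XOR_KEY`), the `b"MZ"` known-plaintext marker, and the sample host data are constructed assumptions; the real sample's keys are not given on the page.

```python
"""Analysis helper for the RC4/Base64 and single-byte XOR layers described in the
Rising Sun (S0448) ATT&CK layer.  Added example, not the malware's own code.
Keys, marker and sample data below are constructed for the demonstration."""
import base64
import math
from collections import Counter
from typing import Dict, Optional

# Assumptions for the demo; the actual sample's keys are not on the page.
EXFIL_KEY = b"example-exfil-key"
CONFIG_KEY = b"example-config-key"
XOR_KEY = 0x5A
# Constructed "collected host data", repeated to give the entropy check some bytes.
SAMPLE_COLLECTED = (
    b"hostname=WKSTN-07\r\nuser=jdoe\r\nos=Windows 10 Pro\r\n"
    b"C:\\ fixed total=512000000000 free=210000000000\r\n"
    b"proc=explorer.exe,outlook.exe,winword.exe\r\n"
) * 3
# Constructed PE-like stub: only the DOS magic is needed as known plaintext.
SAMPLE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 12
SAMPLE_CONFIG = b'{"c2":"https://c2.example.invalid/","sleep":60}'  # constructed


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def stage_for_exfil(key: bytes, collected: bytes) -> bytes:
    """T1560.003 as the layer describes it: RC4-encrypt, then Base64-encode."""
    return base64.b64encode(rc4(key, collected))


def unstage(key: bytes, post_body: bytes) -> bytes:
    """The analyst's reversal on a captured POST body: Base64-decode, then RC4."""
    return rc4(key, base64.b64decode(post_body))


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR; self-inverse, so the same call hides and recovers data."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, marker: bytes) -> Optional[int]:
    """Brute-force the 256 single-byte keys; return the one under which the known
    plaintext `marker` appears at offset 0.  Unique, since XOR is a bijection
    per byte; None means the marker is not there under any key."""
    for k in range(256):
        if xor1(blob[: len(marker)], k) == marker:
            return k
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  RC4 output is close to uniform, so a Base64 POST body that
    decodes to high-entropy bytes is worth a second look in proxy logs."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def demo() -> Dict[str, object]:
    # 1. Exfil staging and its reversal on the captured POST body.
    body = stage_for_exfil(EXFIL_KEY, SAMPLE_COLLECTED)
    recovered = unstage(EXFIL_KEY, body)
    # 2. A payload hidden under single-byte XOR carrying an RC4-encrypted config:
    #    strip the XOR layer by key recovery, then decrypt the embedded config.
    hidden = xor1(SAMPLE_PE_STUB + rc4(CONFIG_KEY, SAMPLE_CONFIG), XOR_KEY)
    key = recover_xor_key(hidden, b"MZ")
    payload = xor1(hidden, key) if key is not None else b""
    config = rc4(CONFIG_KEY, payload[len(SAMPLE_PE_STUB):])
    return {
        "post_body": body,
        "recovered": recovered,
        "body_entropy": shannon_entropy(base64.b64decode(body)),
        "plain_entropy": shannon_entropy(SAMPLE_COLLECTED),
        "xor_key": key,
        "config": config,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The RC4 routine is the textbook cipher, so it can be checked against a published test vector before being trusted on a real capture; the entropy check is a triage heuristic only, since any compressed or encrypted body scores high, and the key-recovery trick depends on knowing some plaintext at a fixed offset.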